IBM Support

Resetting OS/400 QSECOFR Password Using DST - Version 5 and Higher

Technote (troubleshooting)


Problem(Abstract)

This document describes how to reset the QSECOFR user profile using DST.

Resolving the problem

If the Operating System Security Officer user profile (QSECOFR) password is lost or forgotten, there are ways to reset it:

1. The easiest way would be for another user profile that has *ALLOBJ and *SECADM special authority to use the Change User Profile (CHGUSRPRF) command.

On the operating system command line, type the following:

CHGUSRPRF QSECOFR PASSWORD(newpwd)

where newpwd is the new password. Press the Enter key.

To look for a user profile with *SECADM and authority to QSECOFR, refer to Rochester Support Center knowledgebase document N1017882. To link to N1017882 immediately, click here .
2. Many systems do not have another profile with these special authorities. In that case, use the Dedicated Service Tools (DST) to reset it. The rest of this document describes how to use DST to reset the QSECOFR password.
The following methods can be used. In both cases, an IPL is required. One method allows the IPL to be unattended and may be scheduled to happen at a later time (for example, overnight). The other way would be to do a manual IPL and reset the password during the IPL.

          Resetting QSECOFR with an Unattended IPL

          This method is used when:
          o You can wait a while before you must to use QSECOFR
          o You cannot interrupt the machine for an IPL, and no one will be available to operate the system when the system is IPLing
To reset the system password, you should do the following:
1. From the front panel of the machine, put the system into Manual mode.
2. Use the arrow keys to get to function 21, and press the blue Enter button.
3. On the console, a dedicated service tools (DST) sign-on screen is shown. Sign on with the System Service Tools (SST/DST) QSECOFR user ID and password.
4. Select Option 5, Work with DST Environment, from the Use Dedicated Service Tools menu.
5. Select Option 6, Service Tools Security Data.
6. Select Option 1, Reset operating system default password.
7. The Confirm Reset of System Default Password display is shown. Press the Enter key to confirm your request.
8. You receive a confirmation message telling you the operating system password override has been set.
9. Continue pressing F3 (Exit) to return to the Exit Dedicated Service tools.
10. Take the system out of Manual mode.
The system resets the Operating System QSECOFR user profile to the default shipped value when it is next IPLed. The IPL may be a normal (unattended) one. You must have the system scheduled to IPL or have someone (an operator or someone with authority to power down the system) do it. If you do not, you will have to power down the system from the front panel, and start it from there.

Resetting QSECOFR with an Attended IPL

This method is used when:
o You can not wait, and you need to use QSECOFR now.
o You are available and ready to IPL the system now.
To reset QSECOFR with an attended IPL, you should do the following:
1. With the keylock switch in the Manual position, start an attended Initial Program Load (IPL).
2. When the system displays the IPL or the Install the System menu, select Option 3, Use dedicated Service Tools.
3. On the Dedicated Service Tools (DST) sign-on display, sign on with the System Service Tools (SST/DST) QSECOFR user ID and password.
4. Select Option 5, Work with DST Environment, from the Use Dedicated Service Tools (DST) menu.
5. Select Option 6, Service Tools Security Data.
6. Select Option 1, Reset operating system default password.
7. The Confirm Reset of System Default Password display is shown. Press the Enter key to confirm your request.
8. You receive a confirmation message telling you the operating system password override has been set.
9. Continue pressing F3 (Exit) to return to the Exit Dedicated Service Tools menu.
10. Select Option 1, Exit Dedicated Service Tools.
11. The IPL or Install the System menu is shown. Select Option 1, Perform an IPL.
12. The system continues with a manual IPL. The procedure for performing a manual IPL is described in the System Operation manual.
13. When the IPL has completed, return the system to the Normal mode.
For Both Methods

After the password has been reset, change the password. On the operating system command line, type the following:

Caution: Do not leave the QSECOFR password set to the default. This poses a security exposure. This is the value shipped with every system and is commonly known.

CHGUSRPRF QSECOFR

Press the F4 key to prompt the command. Type a new password, and change the status of the profile to *ENABLED if it is set to *DISABLED. Press the Enter key to have the changes take effect.


Cross reference information
Segment Product Component Platform Version Edition
Operating System IBM i 7.2
Operating System IBM i 7.1
Operating System IBM i 6.1

Historical Number

23531757

Document information

More support for: IBM i
Security

Software version: 5.3.0, 5.3.5, 5.4.0, 5.4.5, 6.1, 6.1.0, 6.1.1, 7.1, 7.2

Operating system(s): IBM i

Reference #: N1019462

Modified date: 07 February 2013


Translate this page: